Changes in cec8d1c: Updated gre-plus-ipsec-debian (markdown)

				gre-plus-ipsec-debian.md
			
          @@ -17,6 +17,7 @@ Example policy on 1.2.3.4:

           spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;

           spdadd 5.6.7.8 1.2.3.4 gre -P in  ipsec esp/transport//require;

           ```

          +Change the direction on 5.6.7.8.

           ## Load the IPsec security policy into the IPsec security policy database

           Load the policy with the setkey command.

          @@ -27,3 +28,46 @@ Afterward check the policy database with:

           ```

           setkey -DP

           ```

          +

          +## Configure the racoon daemon

          +```

          +path pre_shared_key "/etc/racoon/psk.txt";

          +path certificate    "/etc/racoon/certs";

          +log info;

          +

          +listen {

          +  # replace with local tunnel endpoint

          +  isakmp      1.2.3.4 [500];

          +  isakmp_natt 1.2.3.4 [4500];

          +}

          +

          +# replace with remote tunnel endpoint

          +remote 5.6.7.8 [500] {

          +  exchange_mode    main;

          +  proposal_check   strict;

          +  my_identifier    asn1dn;

          +  peers_identifier asn1dn;

          +  lifetime         time 1 hour;

          +  certificate_type x509 "local.crt" "local.key";

          +  peers_certfile   x509 "remote.crt";

          +  ca_type          x509 "ca.crt";

          +  verify_cert      on;

          +  send_cert        off;

          +  send_cr          off;

          +  

          +  proposal {

          +    encryption_algorithm  aes 256;

          +    hash_algorithm        sha256;

          +    authentication_method rsasig;

          +    dh_group              modp4096;

          +  }

          +}

          +

          +# local tunnel endpoint, remote tunnel endpoint, GRE ip protocol number

          +sainfo (address 1.2.3.4 address 5.6.7.8 47) {

          +  pfs_group                modp4096;

          +  lifetime                 time 1 hour;

          +  encryption_algorithm     aes 256;

          +  authentication_algorithm hmac_sha1;

          +  compression_algorithm    deflate;

          +}

          \ No newline at end of file

...	...	@@ -17,6 +17,7 @@ Example policy on 1.2.3.4:
17	17	spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
18	18	spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
19	19	```
	20	+Change the direction on 5.6.7.8.
20	21
21	22	## Load the IPsec security policy into the IPsec security policy database
22	23	Load the policy with the setkey command.
...	...	@@ -27,3 +28,46 @@ Afterward check the policy database with:
27	28	```
28	29	setkey -DP
29	30	```
	31	+
	32	+## Configure the racoon daemon
	33	+```
	34	+path pre_shared_key "/etc/racoon/psk.txt";
	35	+path certificate "/etc/racoon/certs";
	36	+log info;
	37	+
	38	+listen {
	39	+ # replace with local tunnel endpoint
	40	+ isakmp 1.2.3.4 [500];
	41	+ isakmp_natt 1.2.3.4 [4500];
	42	+}
	43	+
	44	+# replace with remote tunnel endpoint
	45	+remote 5.6.7.8 [500] {
	46	+ exchange_mode main;
	47	+ proposal_check strict;
	48	+ my_identifier asn1dn;
	49	+ peers_identifier asn1dn;
	50	+ lifetime time 1 hour;
	51	+ certificate_type x509 "local.crt" "local.key";
	52	+ peers_certfile x509 "remote.crt";
	53	+ ca_type x509 "ca.crt";
	54	+ verify_cert on;
	55	+ send_cert off;
	56	+ send_cr off;
	57	+
	58	+ proposal {
	59	+ encryption_algorithm aes 256;
	60	+ hash_algorithm sha256;
	61	+ authentication_method rsasig;
	62	+ dh_group modp4096;
	63	+ }
	64	+}
	65	+
	66	+# local tunnel endpoint, remote tunnel endpoint, GRE ip protocol number
	67	+sainfo (address 1.2.3.4 address 5.6.7.8 47) {
	68	+ pfs_group modp4096;
	69	+ lifetime time 1 hour;
	70	+ encryption_algorithm aes 256;
	71	+ authentication_algorithm hmac_sha1;
	72	+ compression_algorithm deflate;
	73	+}
...	...	\ No newline at end of file